Industrial control systems security needs more work

Federal agencies and industries that use industrial control systems must avoid applying standard information security measures to secure such systems, an engineering expert advised members of the federal Information Security and Privacy Advisory Board, which met Sept. 13.

Keith Stouffer, a mechanical engineer at the National Institute of Standards and Technology’s Intelligent Systems Division, said standard antivirus protection and encryption technologies applied to industrial control systems could shut them down and, in some cases, create a public safety hazard.

Industrial control systems are typically field devices known as programmable logic controllers. “They’re basically stripped down PCs,” Stouffer said. They can’t handle cryptographic functions, such as authentication and encryption, which makes them vulnerable, he added.

Newer industrial control systems are built with Microsoft Windows operating systems and IP protocols “because they’re cheaper and easier to use,” Stouffer said. But by replacing systems built with specialized proprietary software and protocols, government and commercial industries have made their industrial control systems vulnerable to cyberattacks.

“That transition happened without thinking about security,” Stouffer said. “Now we’re having to fix what we asked for.”

Work is under way to develop security configurations for industrial control systems, he added.

Stouffer said many industry executives are unaware of cybersecurity vulnerabilities in their factories and critical infrastructures. “A lot of the higher-ups don’t know they have modems connected to the Internet,” he said. Cyberattackers can use tools called war dialers to find modems connected to industrial control systems.

The nuclear industry is probably safer than most, added Bruce Brody, the Energy Department’s associate chief information officer of cybersecurity and a member of the security advisory board. The nuclear industry still relies on proprietary protocols, so the security threat is not as great, he said.
